So on my website I have a field for users where they can set a profile description of a max 100 letters. My problem is that they can use html for their profile description! I use a as input for their description and is put directly into the mysql database.
Here is the code for displaying their profile description
<div id="mid-profile-desc">
<p><?php echo $userProfileDesc;?></p>
</div>
<!--String is just this from database: $userProfileDesc = $row["profiledesc"];-->
But with this users when setting their profile description they can use languages such as html,css,javascript,php & a lot more. They can also control my database with that.
So how can I disable users from using all of those? I could probably just ban the "<" and ">" letters but that is probably not safe either. Any good ways of doing this with it being safe as well?
The user input is currently displayed without filter. This means that, although people cannot use php code, they can insert any html tags or javascript into your website, and using xss attacks.
The solution for that is htmlspecialchars
<?php echo htmlspecialchars($userProfileDesc); ?>
It is generally not a problem to have unescaped html in your database, however you do need to worry about things like sql injections. Use parametrized queries to avoid those.